Orgs, Spaces, Roles, and Permissions

This topic describes orgs and spaces in Pivotal Application Service foundations. It also describes the default permissions for user roles in PAS.

Overview

PAS uses a role-based access control (RBAC) system to grant appropriate permissions to PAS users.

Admins, Org Managers, and Space Managers can assign user roles using the Cloud Foundry Command Line Interface (cf CLI). For more information, see Users and Roles in Getting Started with the cf CLI  or Apps Manager.

Orgs

An org is a development account that an individual or multiple collaborators can own and use. All collaborators access an org with user accounts, which have roles such as Org Manager, Org Auditor, and Org Billing Manager. Collaborators in an org share a resource quota plan, apps, services availability, and custom domains.

By default, an org has the status of active. An admin can set the status of an org to suspended for various reasons such as failure to provide payment or misuse. When an org is suspended, users cannot perform certain activities within the org, such as push apps, modify spaces, or bind services.

For more information about the actions that each role can perform, see User Roles and User Role Permissions.

For details on what activities are allowed for suspended orgs, see Roles and Permissions for Suspended Orgs.

Spaces

A space provides users with access to a shared location for app development, deployment, and maintenance. An org can contain multiple spaces. Every app, service, and route is scoped to a space. Roles provide access control for these resources and each space role applies only to a particular space.

Org managers can set quotas on the following for a space:

  • Usage of paid services
  • Number of app instances
  • Number of service keys
  • Number of routes
  • Number of reserved route ports
  • Memory used across the space
  • Memory used by a single app instances

User Roles

A user account represents an individual person within the context of a Pivotal Application Service foundation. A user can have one or more roles. These roles define the user’s permissions in orgs and spaces.

Roles can be assigned different scopes of User Account and Authentication (UAA) privileges. For more information about UAA scopes, see Scopes in Component: User Account and Authentication (UAA) Server.

The following describes each type of user role in PAS:

  • Admin: Perform operational actions on all orgs and spaces using the Cloud Controller API. Assigned the cloud_controller.admin scope in UAA.
  • Admin Read-Only: Read-only access to all Cloud Controller API resources. Assigned the cloud_controller.admin_read_only scope in UAA.
  • Global Auditor: Read-only access to all Cloud Controller API resources except for secrets, such as environment variables. The Global Auditor role cannot access those values. Assigned the cloud_controller.global_auditor scope in UAA.
  • Org Managers: Administer the org.

  • Org Auditors: Read-only access to user information and org quota usage information.

  • Org Users: Read-only access to the list of other org users and their roles. When an Org Manager gives a person an Org or Space role, that person automatically receives Org User status in that org.

  • Space Managers: Administer a space within an org.

  • Space Developers: Manage apps, services, and space-scoped service brokers in a space.

  • Space Auditors: Read-only access to a space.

For non-admin users, the cloud_controller.read scope is required to view resources, and the cloud_controller.write scope is required to create, update, and delete resources.

Before you assign a space role to a user, you must assign an org role to the user. The error message Server error, error code: 1002, message: cannot set space role because user is not part of the org occurs when you try to set a space role before setting an org role for the user.

User Role Permissions

Each user role includes different permissions in a Pivotal Application Service foundation. The following sections describe the permissions associated with each user role in both active and suspended orgs in PAS.

Roles and Permissions for Active Orgs

The following table describes the default permissions for various PAS roles in active orgs.

Note: You can use feature flags to edit some of the default permissions in the following table. For more information, see Using Feature Flags.

Activity Admin Admin Read-Only Global Auditor Org Manager Org Auditor Space Manager Space Developer Space Auditor
Scope of operation Org Org Org Org Org Space Space Space
Add and edit users and roles Yes 1 1
View users and roles Yes Yes Yes Yes Yes Yes Yes Yes
Create and assign org quota plans Yes
View org quota plans Yes Yes Yes Yes Yes Yes Yes Yes
Create orgs Yes 2 2 2 2 2
View all orgs Yes Yes Yes
View orgs where user is a member Yes3 Yes3 Yes3 Yes Yes Yes Yes Yes
Edit, rename, and delete orgs Yes Yes4
Suspend or activate an org Yes
Create and assign space quota plans Yes Yes
Create spaces Yes Yes
View spaces Yes Yes Yes Yes Yes Yes Yes
Edit spaces Yes Yes Yes
Delete spaces Yes Yes
Rename spaces Yes Yes Yes
View the status, number of instances, service bindings, and resource use of apps Yes Yes Yes Yes Yes Yes Yes
Add private domains5 Yes Yes
Deploy, run, and manage apps Yes Yes
Use app SSH6 Yes Yes
Instantiate and bind services to apps Yes Yes
Manage global service brokers Yes
Manage space-scoped service brokers Yes Yes
Associate routes5, instance counts, memory allocation, and disk limit of apps Yes Yes
Rename apps Yes Yes
Create and manage Application Security Groups Yes
Create, update, and delete an Isolation Segment Yes
List all Isolation Segments for an org Yes Yes Yes7 Yes7 Yes7 Yes7 Yes7 Yes7
Entitle or revoke an Isolation Segment Yes
List all orgs entitled to an Isolation Segment Yes Yes Yes7 Yes7 Yes7 Yes7 Yes7 Yes7
Assign a default Isolation Segment to an org Yes Yes
List and manage Isolation Segments for spaces Yes Yes
List entitled Isolation Segment for a space Yes Yes Yes Yes Yes Yes Yes
List the Isolation Segment on which an app runs Yes Yes Yes Yes Yes Yes Yes

1Not by default, unless feature flag set_roles_by_username is set to true.

2Not by default, unless feature flag user_org_creation is set to true.

3Admin, admin read-only, and global auditor roles do not need to be added as members of orgs or spaces to view resources.

4Org Managers can rename their orgs and edit some fields; they cannot delete orgs.

5Unless disabled by feature flags.

6This assumes that SSH is enabled for the platform, space, and app. For more information, see SSH Access Control Hierarchy.

7Applies only to orgs to which the user account belongs.

Roles and Permissions for Suspended Orgs

The following table describes roles and permissions applied after an operator sets the status of an org to suspended.

Activity Admin Admin Read-Only Global Auditor Org Manager Org Auditor Space Manager Space Developer Space Auditor
Scope of operation Org Org Org Org Org Space Space Space
Add and edit users and roles Yes
View users and roles Yes Yes Yes Yes Yes Yes Yes Yes
Create and assign org quota plans Yes
View org quota plans Yes Yes Yes Yes Yes Yes Yes Yes
Create orgs Yes
View all orgs Yes Yes Yes
View orgs where user is a member Yes Yes Yes Yes Yes Yes Yes Yes
Edit, rename, and delete orgs Yes
Suspend or activate an org Yes
Create and assign space quota plans Yes
Create spaces Yes
View spaces Yes Yes Yes Yes Yes Yes Yes
Edit spaces Yes
Delete spaces Yes
Rename spaces Yes
View the status, number of instances, service bindings, and resource use of applications Yes Yes Yes Yes Yes Yes Yes
Add private domains Yes
Deploy, run, and manage applications Yes
Instantiate and bind services to applications Yes
Associate routes, instance counts, memory allocation, and disk limit of applications Yes
Rename applications Yes
Create and manage Application Security Groups Yes